System, method, and computer program product for security verification of communications to tenants of an on-demand database service

ABSTRACT

In accordance with embodiments, there are provided mechanisms and methods for security verification of communications to tenants of an on-demand database service. These mechanisms and methods for security verification of communications to tenants of an on-demand database service can enable embodiments to allow tenants to selectively implement security measures with respect to inbound communications, etc. The ability of embodiments to provide such feature may allow tenants to efficiently and effectively implement security measures for in-bound emails.

CLAIM OF PRIORITY

This application is a continuation of U.S. application Ser. No.13/797,828, filed Mar. 12, 2013, which is a continuation of U.S.application Ser. No. 12/357,999, filed Jan. 22, 2009, which claims thebenefit of U.S. Provisional Patent Application No. 61/022,748, filedJan. 22, 2008, the entire contents of which are incorporated herein byreference.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD OF THE INVENTION

The current invention relates generally to on-demand database services,and more particularly to providing security verification ofcommunication to users of such systems.

BACKGROUND

The subject matter discussed in the background section should not beassumed to be prior art merely as a result of its mention in thebackground section. Similarly, a problem mentioned in the backgroundsection or associated with the subject matter of the background sectionshould not be assumed to have been previously recognized in the priorart. The subject matter in the background section merely representsdifferent approaches, which in and of themselves may also be inventions.

In conventional database systems, users access their data resources inone logical database. A user of such a conventional system typicallyretrieves data from and stores data on the system using the user's ownsystems. A user system might remotely access one of a plurality ofserver systems that might in turn access the database system. Dataretrieval from the system might include the issuance of a query from theuser system to the database system. The database system might processthe request for information received in the query and send to the usersystem information relevant to the request.

There is often a desire to provide security to users of the foregoingdatabase frameworks. For example, communications to users of suchsystems may present potential security threats to information associatedwith the user and to information of an organization associated with theuser. Thus, it is desirable to implement configurable and effectivesecurity measures with respect to these communications.

BRIEF SUMMARY

In accordance with embodiments, there are provided mechanisms andmethods for security verification of communications to tenants of anon-demand database service. These mechanisms and methods for securityverification of communications to tenants of an on-demand databaseservice can enable embodiments to allow tenants to selectively implementsecurity measures with respect to inbound communications, etc. Theability of embodiments to provide such feature may allow tenants toefficiently and effectively implement security measures for in-boundemails.

In an embodiment and by way of example, a method is provided forsecurity verification of communications to tenants of an on-demanddatabase service. In use, a communication destined to a first tenant ofa plurality of tenants using at least one on-demand service is received.Additionally, a plurality of security processes are applied to thecommunication to obtain at least one return code, the at least onereturn code being associated with at least one of the plurality ofsecurity processes. Furthermore, it is determined, based at least inpart on the at least one return code, whether to process thecommunication.

While the present invention is described with reference to an embodimentin which techniques for security verification of communications totenants of an on-demand database service are implemented in anapplication server providing a front end for a multi-tenant databaseon-demand service, the present invention is not limited to multi-tenantdatabases or deployment on application servers. Embodiments may bepracticed using other database architectures, i.e., ORACLE®, DB2® andthe like without departing from the scope of the embodiments claimed.

Any of the above embodiments may be used alone or together with oneanother in any combination. Inventions encompassed within thisspecification may also include embodiments that are only partiallymentioned or alluded to or are not mentioned or alluded to at all inthis brief summary or in the abstract. Although various embodiments ofthe invention may have been motivated by various deficiencies with theprior art, which may be discussed or alluded to in one or more places inthe specification, the embodiments of the invention do not necessarilyaddress any of these deficiencies. In other words, different embodimentsof the invention may address different deficiencies that may bediscussed in the specification. Some embodiments may only partiallyaddress some deficiencies or just one deficiency that may be discussedin the specification, and some embodiments may not address any of thesedeficiencies.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a method for security verification of communications totenants of an on-demand service, in accordance with one embodiment.

FIG. 2 shows a method for security verification of communications totenants of an on-demand database service, in accordance with anotherembodiment.

FIG. 3 shows a system flow diagram for security verification ofcommunications to tenants of an on-demand database service, inaccordance with one embodiment.

FIG. 4 illustrates a block diagram of an example of an environmentwherein an on-demand database service might be used.

FIG. 5 illustrates a block diagram of an embodiment of elements of FIG.4 and various possible interconnections between these elements.

DETAILED DESCRIPTION

General Overview

Systems and methods are provided for security verification ofcommunications to tenants of an on-demand database service.

There is a desire to provide security to users of on-demand databaseservices. For example, communications to users of such services maypresent potential security threats to information associated with theuser and to information of an organization associated with the user.Thus, it is desirable to implement configurable and effective securitymeasures with respect to these communications.

Thus, mechanisms and methods are provided herein for securityverification of communications to tenants of an on-demand databaseservice and can enable embodiments to allow tenants to selectivelyimplement security measures with respect to inbound communications, etc.The ability of embodiments to provide such feature may allow tenants toefficiently and effectively implement security measures for in-boundemails.

Next, mechanisms and methods for security verification of communicationsto tenants of an on-demand database service will be described withreference to exemplary embodiments.

FIG. 1 shows a method 100 for security verification of communications totenants of an on-demand service, in accordance with one embodiment. Asshown, a communication destined to a first tenant of a plurality oftenants using at least one on-demand service is received. See operation102.

In the context of the present description, an on-demand service refersto any service that that is accessible over a network. In oneembodiment, the on-demand service may include an on-demand databaseservice. In this case, an on-demand database service may include anyservice that relies on a database system that is accessible over anetwork.

In one embodiment, the on-demand database service may include amulti-tenant on-demand database service. In the present description,such multi-tenant on-demand database service may include any servicethat relies on a database system that is accessible over a network, inwhich various elements of hardware and software of the database systemmay be shared by one or more customers. For instance, a givenapplication server may simultaneously process requests for a greatnumber of customers, and a given database table may store rows for apotentially much greater number of customers.

Additionally, in the context of the present description, a tenant refersto any user of the on-demand service. For example, in variousembodiments, the tenants may include customers, subscribers, developers,and any other users of the on-demand service.

Furthermore, it should be noted that, in one embodiment, thecommunication may include an email destined to the tenant. Once thecommunication is received, a plurality of security processes are appliedto the communication to obtain at least one return code, the at leastone return code being associated with at least one of the plurality ofsecurity processes. See operation 104.

The plurality of security processes may include any security processcapable of being utilized to obtain a return code. For example, in oneembodiment, the plurality of security processes may include testscorresponding to at least one security protocol. In various embodiments,the security protocol may include one or more of a sender policyframework (SPF) security protocol, a Sender ID security protocol, aDomainKeys security protocol, and a DomainKeys Identified Mail (DKIM)security protocol. Of course, the security protocol may include anydesired security protocol.

In the context of the present description, a return code refers to anycode indicative of a result of a security process. For example, invarious embodiments, the return code may include a code indicative of apass, fail, or neutral result of one or more of the security processes.

Once the return code is obtained, it is determined, based at least inpart on the return code, whether to process the communication. Seeoperation 106. For example, if the return code indicates a failure, itmay be determined that the communication is not to be processed. In thiscase, a refusal to process the communication may be indicated when theat least one return code indicates security checking fails.

In one embodiment, the return code may indicate a pass when at least oneof the plurality of security processes indicates a pass. Additionally,the return code may indicate a pass when none of the plurality ofsecurity processes indicates a failure. Still yet, the return code mayindicate a pass when at least one of the plurality of security processesindicates a pass and none of the plurality of security processesindicates a failure. If a pass is indicated, the communication may beprocessed.

In the context of the present description, processing of thecommunication may include any processing of the communication. Forexample, the processing may include allowing the communication to bedelivered, routing the communication to a destination, storing thecommunication, and/or any other processing. In one embodiment, theprocessing may also include accessing computer code associated with thecommunication (e.g. based on information in the communication, etc.). Inthis case, the processing may further include executing the computercode such that the execution processes the communication. Thisprocessing may include extracting text from the communication,generating contact information based on the communication, establishinga calendar event based on the communication, and/or any other processingdetermined by a user.

If it is determined that the communication is not to be processed, thecommunication may be deleted, directed to a specific location forunprocessed communications, returned to a sender of the communication,or any other action may occur with respect to the communication. In oneembodiment, if it is determined that the communication is not to beprocessed, no action may be taken.

As an option, the return code may be based on a result of combining aplurality of return codes. In this case, determining whether to processthe communication may be based at least in part on the result of thecombing the plurality of return codes. The combination may be a summaryof all of the combined return codes.

In one embodiment, a security preference associated with the firsttenant may be determined based at least in part on the communication.For example, it may be determined that the first tenant has a securityfeature enabled. In this case, the security processes may be implementedwith respect to the communication. Additionally, it may be determinedthat the first tenant has disabled one or more of the securityprocesses. In this case, these security processes may not be implementedwith respect to the communication.

In one embodiment, the security preference associated with the firsttenant may be determined based at least in part on the communication. Inthis case, the security preference may be only implemented with respectto certain senders. For example, if the communication is an email, atleast a portion of an email address of a sender of the email may beverified. As an option, the portion of the email address of the sendermay be verified by comparing the portion of the email address toinformation in a white list (i.e. a list of permitted senders) or ablack list (i.e. a list of blocked senders). In one embodiment, thecapability to blacklist may only be available at a system administratorlevel.

FIG. 2 shows a method 200 for security verification of communications totenants of an on-demand database service, in accordance with oneembodiment. As an option, the present method 200 may be implemented inthe context of the functionality of FIG. 1. Of course, however, themethod 200 may be carried out in any desired environment. Theaforementioned definitions may apply during the present description.

As shown, it is determined whether an email is received. See operation202. If an email is received, it is determined whether an advancedsecurity feature is on. See operation 204.

This determination may be based on a user setting. In this context, the“user” means the owner of the service. For example, a tenant of anon-demand database service may have the ability to enable or disable theadvanced security feature at the email service level; all of thedestination service email addresses associated with this email servicethen inherit this advanced security preference.

If it is determined that the advanced security feature is on, tests areperformed for multiple security protocols. See operation 206. Thesesecurity protocols may include a variety of security protocols.

The tests are then performed with respect to the communication and aresult is produced including a pass indication, a fail indication, or aneutral indication (i.e. neither pass nor fail). This result may bereturned as a return code including a pass, fail, or none code.

It is then determined whether the tests result in at least one pass withno failures. See operation 208. If this is the case, a sender emailaddress of the email is checked against a list of known valid emailaddresses (e.g. a white list, etc.). See operation 210.

In one embodiment, a portion of the email address (e.g. a domain name,etc.) may be compared to a list of valid email addresses or portionsthereof. In these cases, the valid email address may be stored in adatabase associated with the on-demand database service.

Based on this comparison, it is determined if there is a match. Seeoperation 212. If there is a match, a lookup for Apex class code isperformed. See operation 214.

In one embodiment, the lookup may be performed utilizing the emailaddress or a portion thereof. It is then determined whether Apex classcode is found. See operation 216. If Apex class code is found, the codeis retrieved, and the Apex class code is executed. See operation 218.The execution of the Apex class code may perform various functions,based on the context in which the email is received. For example, invarious embodiments, the execution of the Apex class code may result ina event creation in a calendar, a contact creation, a contact update,etc.

It should be noted that, if it is determined that, in operation 208,none of the tests associated with the security protocols pass, or thatat least one of the tests fail, an action may be implemented. Seeoperation 220. Similarly, if it is determined that the sending emailaddress of the email does not match a known valid email address, inoperation 212, an action may also be implemented.

In these cases, the action may include any action such as quarantiningthe email, returning the email, rejecting the email, deleting the email,etc. In one embodiment, the action may include a user defined action.

In one embodiment, using the techniques described in the context of FIG.2, a method for applying one-click email security around inbound emailsin a multi-tenant environment may be implemented. In this way, a tenantmay enable advanced SMTP email security mechanisms such as SPF,SenderId, DomainKeys or DKIM with a simple one-click administrativeaction. Additionally, the complexity of the security processes may behidden from the user. This may be useful if the tenant does notunderstand the underlying email security technologies, the tenant mayonly need to perform a one-click check to enable the advanced securitychecking/verification.

Furthermore, the dependency of the user to understand what securityprotocols are available and supported by the sending email system isremoved. Still yet, the email system may not need to change anyunderlying logic depending on the security protocols available withinthe sending system. The email system may simply pass the results of anyand all security protocols that are supported and utilized by both thesending and receiving email systems into an advanced security algorithm.As a result, the system may be allowed to transparently change theunderlying algorithm and to add or remove support for additionalsecurity protocols without requiring any changes in a configuration of atenant.

In one embodiment, when the advanced security feature has been enabled,a processing algorithm may translate the various pass, soft failure,hard failure, and “none” return codes that are applicable to eachspecific security protocol that is available and supported for a givenemail connection, into a simple process return code (PRC) ofpass/fail/none.

In one embodiment, the resulting inbound email may be processed when thesum of “Fail” return codes is equal to zero (i.e. no failures) and thesum of “Pass” return codes is greater than or equal to one (i.e. atleast one security protocol must pass). If the advanced securitychecking passes, the inbound email may then be processed. If theadvanced security checking fails, the inbound email may not be processedand the tenant may optionally be notified. For example, the tenant maybe notified via different user defined mechanisms.

In some cases, an organization administrator may be responsible forcreating email services that are available for the configuration ofemail services addresses by either the administrator or other users inthe organization associated with the administrator. In variousembodiments, an administrator may have the ability to specify differentattributes/functionality when creating the email service. The functionname may be required as part of creating the email service.

As another option, the administrator may specify an Apex class thatimplements an inbound messaging email handler interface that will beinvoked when an inbound email is received. Additionally, theadministrator may specify whether text and/or binary attachments will bepassed if received and whether the security function is active. Inanother embodiment, the administrator may specify a list of domainsand/or addresses that may be considered valid senders for the function,whether to bounce, discard, or re-queue the message in the case ofexceeding the daily rate limit for the organization, whether to bounceor discard the message if the email address is currently marked inactiveby the administrator, whether to bounce or discard the message if theemail service is currently marked inactive by the administrator, andwhether to bounce or discard the message if the security checks fail.

Once an email service is created, the administrator may create emailservices addresses associated with the email service. In one embodiment,the administrator may accomplish this using the email service and bychoosing a “New Email Address” button. As a result of this selection,the administrator may be presented with another page that allows theadministrator to specify whether the address is active or not, and theowner of the address. The owner may be an administrator, a user in anorganization of the administrator, or may be a user corresponding to ahandler that is implemented when an email is received for this address.Still yet, the administrator may be able to specify a list of domainsand/or addresses that may be considered valid senders for the function.This may be used in conjunction with the list specified at a servicelevel.

In one embodiment, an Apex class author may write the Apex code toprocess the inbound email. For example, the class author may implement apredefined interface to make the class ready for processing inboundemails.

As an option, the organization user may be prohibited to set up ormodify anything related to this feature. As another option, anInboundEmailHandler interface may be used rather than exposingWebServices. In some cases, this may be cleaner from a customer point ofview because the customer may not know that WebServices is beingutilized.

As noted above, security features may be provided to allow for theenforcement of existing protocols, as well as the ability to specify alist of authorized senders. This security may be implemented to ensurethat mail may only be received from a specified set of addresses and toensure that the sender is authentic. As an option, further security maybe provided in the encryption of a token in the mail domain.

The security may be configurable by a user and an administrator. Oncethe security has been defined, it may be enforced in a call from a mailcatcher service to an application. If advanced security for the functionhas been specified to be required, then the results of the protocols maybe used to evaluate the email.

An SMTP server may map the results of the checks against these protocolsto pass, fail, or none codes. The SMTP server passes these results to amail catcher server in headers. The mail catcher server then passes theresults into a call for processing (e.g. a GetContext call, etc.).

In one embodiment, a “Fail” result from any of these protocols mayresult in the mail being rejected. Additionally, if at least one “Pass”result is received, the mail may be accepted. In the case of a rejectionbased on this criteria, an action as specified by a function (e.g. an“AuthenticationFailureAction,” etc.) may be taken such that the messagemay either be bounced with an indication of why the authenticationfailed, or discarded, etc. The bounce messages for these cases mayinclude any message such as “The {0} check failed,” or “Noauthentication check passed,” etc.

As an option, if authorized users have been specified by an organizationadministrator for the function, or by the user for the specific emailaddress, then the sending user may be validated against those users. Afailure to match those users may result in the action (e.g. bounce ordiscard, etc.) as specified by the respective function configurations(e.g. a “ServiceLevelSenderAuthorizationFailed” function and an“AddressLevelSenderAuthorizationFailed” function, etc.). In this case,the bounce text message may include any message such as “The senderaddress {0} is not authorized for this service.”

Assuming that all of these checks have passed, then a session IDassociated with the service owner specified at address creation time, orthe creating user if no service owner is specified, may be returned foruse by the mail catcher server in invoking the specific function throughthe web service interface. In addition, an attachment processingspecified by the administrator at function creation time may be returnedto the mail catcher server and the mail catcher server may remove anyattachments that do not match the specified criteria.

In one embodiment, an email rate limiting may also be implemented. Income cases, a mail service rate may be limited separately from anexisting API rate limiting. If this is the case, there may be two valuesrelated to rate limiting attributed on an organization, an emailservices rate limit that indicates the current daily limit for inboundemail and has a maximum number (e.g. one million, etc.), and an emailservices rate multiplier that is used to determine the daily limit forinbound email based on a number of licenses in the organization. As anoption, this may have a default value (e.g. 1,000, etc.).

In one embodiment, both of these organization values may be editable.The email rate limit may be obtained by examining the organization value“EmailServicesRateLimit.” If this value has been manually set in thedatabase then that value may be returned. Otherwise, the default valuemay be calculated by multiplying the number of active licenses in theorganization by the “EmailServicesrRateMultiplier” organization value.

As an option, any mail that exceeds the daily rate limit by default maybe bounced to the sender with a message specified in a label file. Thetext of this label may be “<recipient> cannot receive any more emailstoday,” although the organization may specify that the mail bediscarded.

FIG. 3 shows a system flow diagram 300 for security verification ofcommunications to tenants of an on-demand database service, inaccordance with one embodiment. As an option, the system flow diagram300 may be implemented in the context of the functionality of FIGS. 1-2.Of course, however, the system flow diagram 300 may be implemented inany desired environment. Again, the aforementioned definitions may applyduring the present description.

As shown, a user 302 sends an email to a contact 304 and blind copies aninbound address associated with a tenant of an on-demand databaseservice. The email then arrives at an SMTP gateway including one or moreSMTP servers 306 of the on-demand database service.

Any email with the appropriate domain name is then routed to a mailcatcher server 308. At the mail catcher server 308, thedestination/service email address is decoded and an instance of theaddress is looked up for verification purposes. If all of the securitychecks pass (e.g. advanced security protocol checks, whitelist at theservice and destination address levels, etc.), then the mail catcherserver 308 sends an SOAP request with email properties to invoke Apexcode to an application/API server 310.

The Apex code is then executed to examine the email. As a result of theexecution, any contacts/leads are discovered and such contact/leads maybe stored. Of course, the execution of the Apex code may result in anynumber of operations as defined by the developer.

System Overview

FIG. 4 illustrates a block diagram of an environment 410 wherein anon-demand database service might be used. As an option, any of thepreviously described embodiments of the foregoing figures may or may notbe implemented in the context of the environment 410. Environment 410may include user systems 412, network 414, system 416, processor system417, application platform 418, network interface 420, tenant datastorage 422, system data storage 424, program code 426, and processspace 428. In other embodiments, environment 410 may not have all of thecomponents listed and/or may have other elements instead of, or inaddition to, those listed above.

Environment 410 is an environment in which an on-demand database serviceexists. User system 412 may be any machine or system that is used by auser to access a database user system. For example, any of user systems412 can be a handheld computing device, a mobile phone, a laptopcomputer, a work station, and/or a network of computing devices. Asillustrated in FIG. 4 (and in more detail in FIG. 5) user systems 412might interact via a network with an on-demand database service, whichis system 416.

An on-demand database service, such as system 416, is a database systemthat is made available to outside users that do not need to necessarilybe concerned with building and/or maintaining the database system, butinstead may be available for their use when the users need the databasesystem (e.g., on the demand of the users). Some on-demand databaseservices may store information from one or more tenants stored intotables of a common database image to form a multi-tenant database system(MTS). Accordingly, “on-demand database service 416” and “system 416”will be used interchangeably herein. A database image may include one ormore database objects. A relational database management system (RDMS) orthe equivalent may execute storage and retrieval of information againstthe database object(s). Application platform 418 may be a framework thatallows the applications of system 416 to run, such as the hardwareand/or software, e.g., the operating system. In an embodiment, on-demanddatabase service 416 may include an application platform 418 thatenables creation, managing and executing one or more applicationsdeveloped by the provider of the on-demand database service, usersaccessing the on-demand database service via user systems 412, or thirdparty application developers accessing the on-demand database servicevia user systems 412.

The users of user systems 412 may differ in their respective capacities,and the capacity of a particular user system 412 might be entirelydetermined by permissions (permission levels) for the current user. Forexample, where a salesperson is using a particular user system 412 tointeract with system 416, that user system has the capacities allottedto that salesperson. However, while an administrator is using that usersystem to interact with system 416, that user system has the capacitiesallotted to that administrator. In systems with a hierarchical rolemodel, users at one permission level may have access to applications,data, and database information accessible by a lower permission leveluser, but may not have access to certain applications, databaseinformation, and data accessible by a user at a higher permission level.Thus, different users will have different capabilities with regard toaccessing and modifying application and database information, dependingon a user's security or permission level.

Network 414 is any network or combination of networks of devices thatcommunicate with one another. For example, network 414 can be any one orany combination of a LAN (local area network), WAN (wide area network),telephone network, wireless network, point-to-point network, starnetwork, token ring network, hub network, or other appropriateconfiguration. As the most common type of computer network in currentuse is a TCP/IP (Transfer Control Protocol and Internet Protocol)network, such as the global internetwork of networks often referred toas the “Internet” with a capital “I,” that network will be used in manyof the examples herein. However, it should be understood that thenetworks that the present invention might use are not so limited,although TCP/IP is a frequently implemented protocol.

User systems 412 might communicate with system 416 using TCP/IP and, ata higher network level, use other common Internet protocols tocommunicate, such as HTTP, FTP, AFS, WAP, etc. In an example where HTTPis used, user system 412 might include an HTTP client commonly referredto as a “browser” for sending and receiving HTTP messages to and from anHTTP server at system 416. Such an HTTP server might be implemented asthe sole network interface between system 416 and network 414, but othertechniques might be used as well or instead. In some implementations,the interface between system 416 and network 414 includes load sharingfunctionality, such as round-robin HTTP request distributors to balanceloads and distribute incoming HTTP requests evenly over a plurality ofservers. At least as for the users that are accessing that server, eachof the plurality of servers has access to the MTS' data; however, otheralternative configurations may be used instead.

In one embodiment, system 416, shown in FIG. 4, implements a web-basedcustomer relationship management (CRM) system. For example, in oneembodiment, system 416 includes application servers configured toimplement and execute CRM software applications as well as providerelated data, code, forms, webpages and other information to and fromuser systems 412 and to store to, and retrieve from, a database systemrelated data, objects, and Webpage content. With a multi-tenant system,data for multiple tenants may be stored in the same physical databaseobject, however, tenant data typically is arranged so that data of onetenant is kept logically separate from that of other tenants so that onetenant does not have access to another tenant's data, unless such datais expressly shared. In certain embodiments, system 416 implementsapplications other than, or in addition to, a CRM application. Forexample, system 416 may provide tenant access to multiple hosted(standard and custom) applications, including a CRM application. User(or third party developer) applications, which may or may not includeCRM, may be supported by the application platform 418, which managescreation, storage of the applications into one or more database objectsand executing of the applications in a virtual machine in the processspace of the system 416.

One arrangement for elements of system 416 is shown in FIG. 5, includinga network interface 420, application platform 418, tenant data storage422 for tenant data 423, system data storage 424 for system dataaccessible to system 416 and possibly multiple tenants, program code 426for implementing various functions of system 416, and a process space428 for executing MTS system processes and tenant-specific processes,such as running applications as part of an application hosting service.Additional processes that may execute on system 416 include databaseindexing processes.

Several elements in the system shown in FIG. 4 include conventional,well-known elements that are explained only briefly here. For example,each user system 412 could include a desktop personal computer,workstation, laptop, PDA, cell phone, or any wireless access protocol(WAP) enabled device or any other computing device capable ofinterfacing directly or indirectly to the Internet or other networkconnection. User system 412 typically runs an HTTP client, e.g., abrowsing program, such as Microsoft's Internet Explorer browser,Netscape's Navigator browser, Opera's browser, or a WAP-enabled browserin the case of a cell phone, PDA or other wireless device, or the like,allowing a user (e.g. subscriber of the multi-tenant database system) ofuser system 412 to access, process and view information, pages andapplications available to it from system 416 over network 414. Each usersystem 412 also typically includes one or more user interface devices,such as a keyboard, a mouse, trackball, touch pad, touch screen, pen orthe like, for interacting with a graphical user interface (GUI) providedby the browser on a display (e.g. a monitor screen, LCD display, etc.)in conjunction with pages, forms, applications and other informationprovided by system 416 or other systems or servers. For example, theuser interface device can be used to access data and applications hostedby system 416, and to perform searches on stored data, and otherwiseallow a user to interact with various GUI pages that may be presented toa user. As discussed above, embodiments are suitable for use with theInternet, which refers to a specific global internetwork of networks.However, it should be understood that other networks can be used insteadof the Internet, such as an intranet, an extranet, a virtual privatenetwork (VPN), a non-TCP/IP based network, any LAN or WAN or the like.

According to one embodiment, each user system 412 and all of itscomponents are operator configurable using applications, such as abrowser, including computer code run using a central processing unitsuch as an Intel Pentium® processor or the like. Similarly, system 416(and additional instances of an MTS, where more than one is present) andall of their components might be operator configurable usingapplication(s) including computer code to run using a central processingunit such as processor system 417 of FIG. 4, which may include an IntelPentium® processor or the like, and/or multiple processor units. Acomputer program product embodiment includes a machine-readable storagemedium (media) having instructions stored thereon/in which can be usedto program a computer to perform any of the processes of the embodimentsdescribed herein. Computer code for operating and configuring system 416to intercommunicate and to process webpages, applications and other dataand media content as described herein are preferably downloaded andstored on a hard disk, but the entire program code, or portions thereof,may also be stored in any other volatile or non-volatile memory mediumor device as is well known, such as a ROM or RAM, or provided on anymedia capable of storing program code, such as any type of rotatingmedia including floppy disks, optical discs, digital versatile disk(DVD), compact disk (CD), microdrive, and magneto-optical disks, andmagnetic or optical cards, nanosystems (including molecular memory ICs),or any type of media or device suitable for storing instructions and/ordata. Additionally, the entire program code, or portions thereof, may betransmitted and downloaded from a software source over a transmissionmedium, e.g., over the Internet, or from another server, as is wellknown, or transmitted over any other conventional network connection asis well known (e.g. extranet, VPN, LAN, etc.) using any communicationmedium and protocols (e.g. TCP/IP, HTTP, HTTPS, Ethernet, etc.) as arewell known. It will also be appreciated that computer code forimplementing embodiments of the present invention can be implemented inany programming language that can be executed on a client system and/orserver or server system such as, for example, C, C++, HTML, any othermarkup language, Java™, JavaScript, ActiveX, any other scriptinglanguage, such as VBScript, and many other programming languages as arewell known may be used. (Java™ is a trademark of Sun Microsystems,Inc.).

According to one embodiment, each system 416 is configured to providewebpages, forms, applications, data and media content to user (client)systems 412 to support the access by user systems 412 as tenants ofsystem 416. As such, system 416 provides security mechanisms to keepeach tenant's data separate unless the data is shared. If more than oneMTS is used, they may be located in close proximity to one another (e.g.in a server farm located in a single building or campus), or they may bedistributed at locations remote from one another (e.g. one or moreservers located in city A and one or more servers located in city B). Asused herein, each MTS could include one or more logically and/orphysically connected servers distributed locally or across one or moregeographic locations. Additionally, the term “server” is meant toinclude a computer system, including processing hardware and processspace(s), and an associated storage system and database application(e.g. OODBMS or RDBMS) as is well known in the art. It should also beunderstood that “server system” and “server” are often usedinterchangeably herein. Similarly, the database object described hereincan be implemented as single databases, a distributed database, acollection of distributed databases, a database with redundant online oroffline backups or other redundancies, etc., and might include adistributed database or storage network and associated processingintelligence.

FIG. 5 also illustrates environment 410. However, in FIG. 5 elements ofsystem 416 and various interconnections in an embodiment are furtherillustrated. FIG. 5 shows that user system 412 may include processorsystem 412A, memory system 412B, input system 412C, and output system412D. FIG. 5 shows network 414 and system 416. FIG. 5 also shows thatsystem 416 may include tenant data storage 422, tenant data 423, systemdata storage 424, system data 425, User Interface (UI) 530, ApplicationProgram Interface (API) 532, PL/SOQL 534, save routines 536, applicationsetup mechanism 538, applications servers 500 ₁-500 _(N), system processspace 502, tenant process spaces 504, tenant management process space510, tenant storage area 512, user storage 514, and application metadata516. In other embodiments, environment 410 may not have the sameelements as those listed above and/or may have other elements insteadof, or in addition to, those listed above.

User system 412, network 414, system 416, tenant data storage 422, andsystem data storage 424 were discussed above in FIG. 4. Regarding usersystem 412, processor system 412A may be any combination of one or moreprocessors. Memory system 412B may be any combination of one or morememory devices, short term, and/or long term memory. Input system 412Cmay be any combination of input devices, such as one or more keyboards,mice, trackballs, scanners, cameras, and/or interfaces to networks.Output system 412D may be any combination of output devices, such as oneor more monitors, printers, and/or interfaces to networks. As shown byFIG. 5, system 416 may include a network interface 420 (of FIG. 4)implemented as a set of HTTP application servers 500, an applicationplatform 418, tenant data storage 422, and system data storage 424. Alsoshown is system process space 502, including individual tenant processspaces 504 and a tenant management process space 510. Each applicationserver 500 may be configured to tenant data storage 422 and the tenantdata 423 therein, and system data storage 424 and the system data 425therein to serve requests of user systems 412. The tenant data 423 mightbe divided into individual tenant storage areas 512, which can be eithera physical arrangement and/or a logical arrangement of data. Within eachtenant storage area 512, user storage 514 and application metadata 516might be similarly allocated for each user. For example, a copy of auser's most recently used (MRU) items might be stored to user storage514. Similarly, a copy of MRU items for an entire organization that is atenant might be stored to tenant storage area 512. A UI 530 provides auser interface and an API 532 provides an application programmerinterface to system 416 resident processes to users and/or developers atuser systems 412. The tenant data and the system data may be stored invarious databases, such as one or more Oracle™ databases.

Application platform 418 includes an application setup mechanism 538that supports application developers' creation and management ofapplications, which may be saved as metadata into tenant data storage422 by save routines 536 for execution by subscribers as one or moretenant process spaces 504 managed by tenant management process 510 forexample. Invocations to such applications may be coded using PL/SOQL 534that provides a programming language style interface extension to API532. A detailed description of some PL/SOQL language embodiments isdiscussed in commonly owned U.S. Provisional Patent Application60/828,192 entitled, “PROGRAMMING LANGUAGE METHOD AND SYSTEM FOREXTENDING APIS TO EXECUTE IN CONJUNCTION WITH DATABASE APIS,” by CraigWeissman, filed Oct. 4, 2006, which is incorporated in its entiretyherein for all purposes. Invocations to applications may be detected byone or more system processes, which manage retrieving applicationmetadata 516 for the subscriber making the invocation and executing themetadata as an application in a virtual machine.

Each application server 500 may be communicably coupled to databasesystems, e.g., having access to system data 425 and tenant data 423, viaa different network connection. For example, one application server 500might be coupled via the network 414 (e.g., the Internet), anotherapplication server 500 ₁ might be coupled via a direct network link, andanother application server 500 _(N-1) might be coupled by yet adifferent network connection. Transfer Control Protocol and InternetProtocol (TCP/IP) are typical protocols for communicating betweenapplication servers 500 and the database system. However, it will beapparent to one skilled in the art that other transport protocols may beused to optimize the system depending on the network interconnect used.

In certain embodiments, each application server 500 is configured tohandle requests for any user associated with any organization that is atenant. Because it is desirable to be able to add and remove applicationservers from the server pool at any time for any reason, there ispreferably no server affinity for a user and/or organization to aspecific application server 500. In one embodiment, therefore, aninterface system implementing a load balancing function (e.g., an F5Big-IP load balancer) is communicably coupled between the applicationservers 500 and the user systems 412 to distribute requests to theapplication servers 500. In one embodiment, the load balancer uses aleast connections algorithm to route user requests to the applicationservers 500. Other examples of load balancing algorithms, such as roundrobin and observed response time, also can be used. For example, incertain embodiments, three consecutive requests from the same user couldhit three different application servers 500, and three requests fromdifferent users could hit the same application server 500. In thismanner, system 416 is multi-tenant, wherein system 416 handles storageof, and access to, different objects, data and applications acrossdisparate users and organizations.

As an example of storage, one tenant might be a company that employs asales force where each salesperson uses system 416 to manage their salesprocess. Thus, a user might maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenant datastorage 422). In an example of a MTS arrangement, since all of the dataand the applications to access, view, modify, report, transmit,calculate, etc., can be maintained and accessed by a user system havingnothing more than network access, the user can manage his or her salesefforts and cycles from any of many different user systems. For example,if a salesperson is visiting a customer and the customer has Internetaccess in their lobby, the salesperson can obtain critical updates as tothat customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' dataregardless of the employers of each user, some data might beorganization-wide data shared or accessible by a plurality of users orall of the users for a given organization that is a tenant. Thus, theremight be some data structures managed by system 416 that are allocatedat the tenant level while other data structures might be managed at theuser level. Because an MTS might support multiple tenants includingpossible competitors, the MTS should have security protocols that keepdata, applications, and application use separate. Also, because manytenants may opt for access to an MTS rather than maintain their ownsystem, redundancy, up-time, and backup are additional functions thatmay be implemented in the MTS. In addition to user-specific data andtenant-specific data, system 416 might also maintain system level datausable by multiple tenants or other data. Such system level data mightinclude industry reports, news, postings, and the like that are sharableamong tenants.

In certain embodiments, user systems 412 (which may be client systems)communicate with application servers 500 to request and updatesystem-level and tenant-level data from system 416 that may requiresending one or more queries to tenant data storage 422 and/or systemdata storage 424. System 416 (e.g., an application server 500 in system416) automatically generates one or more SQL statements (e.g., one ormore SQL queries) that are designed to access the desired information.System data storage 424 may generate query plans to access the requesteddata from the database.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefinedcategories. A “table” is one representation of a data object, and may beused herein to simplify the conceptual description of objects and customobjects according to the present invention. It should be understood that“table” and “object” may be used interchangeably herein. Each tablegenerally contains one or more data categories logically arranged ascolumns or fields in a viewable schema. Each row or record of a tablecontains an instance of data for each category defined by the fields.For example, a CRM database may include a table that describes acustomer with fields for basic contact information such as name,address, phone number, fax number, etc. Another table might describe apurchase order, including fields for information such as customer,product, sale price, date, etc. In some multi-tenant database systems,standard entity tables might be provided for use by all tenants. For CRMdatabase applications, such standard entities might include tables forAccount, Contact, Lead, and Opportunity data, each containingpre-defined fields. It should be understood that the word “entity” mayalso be used interchangeably herein with “object” and “table”.

In some multi-tenant database systems, tenants may be allowed to createand store custom objects, or they may be allowed to customize standardentities or objects, for example by creating custom fields for standardobjects, including custom index fields. U.S. patent application Ser. No.10/817,161, filed Apr. 2, 2004, entitled “CUSTOM ENTITIES AND FIELDS INA MULTI-TENANT DATABASE SYSTEM,” which is hereby incorporated herein byreference, teaches systems and methods for creating custom objects aswell as customizing standard objects in a multi-tenant database system.In certain embodiments, for example, all custom entity data rows arestored in a single multi-tenant physical table, which may containmultiple logical tables per organization. It is transparent to customersthat their multiple “tables” are in fact stored in one large table orthat their data may be stored in the same table as the data of othercustomers.

It should be noted that any of the different embodiments describedherein may or may not be equipped with any one or more of the featuresset forth in U.S. patent application Ser. No. 12/175,082, titled“SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR MESSAGING IN ANON-DEMAND SERVICE,” filed Jul. 17, 2008, which is incorporated herein byreference in its entirety for all purposes; or one or more of thefollowing published applications: US2003/0233404, titled “OFFLINESIMULATION OF ONLINE SESSION BETWEEN CLIENT AND SERVER,” filed Nov. 4,2002; US2004/0210909, titled “JAVA OBJECT CACHE SERVER FOR DATABASES,”filed Apr. 17, 2003, now issued U.S. Pat. No. 7,209,929; US2005/0065925,titled “QUERY OPTIMIZATION IN A MULTI-TENANT DATABASE SYSTEM,” filedSep. 23, 2003; US2005/0223022, titled “CUSTOM ENTITIES AND FIELDS IN AMULTI-TENANT DATABASE SYSTEM,” filed Apr. 2, 2004; US2005/0283478,titled “SOAP-BASED WEB SERVICES IN A MULTI-TENANT DATABASE SYSTEM,”filed Jun. 16, 2004; and/or US2006/0206834, titled “SYSTEMS AND METHODSFOR IMPLEMENTING MULTI-APPLICATION TABS AND TAB SETS,” filed Mar. 8,2005; which are each incorporated herein by reference in their entiretyfor all purposes.

While the invention has been described by way of example and in terms ofthe specific embodiments, it is to be understood that the invention isnot limited to the disclosed embodiments. To the contrary, it isintended to cover various modifications and similar arrangements aswould be apparent to those skilled in the art. Therefore, the scope ofthe appended claims should be accorded the broadest interpretation so asto encompass all such modifications and similar arrangements.

The invention claimed is:
 1. A non-transitory computer-readable storagemedium having stored thereon a plurality of instructions that, whenexecuted by a computer system, cause operations comprising: receiving,at a receiving message system, a communication sent via a sendingmessage system to a user associated with a first tenant of amulti-tenant database system; storing, for the first tenant, a securitypreference indicating a desire to apply, to communications sent to usersassociated with the first tenant, all security processes supported byboth the sending message system and the receiving message system; basedon the security preference of the first tenant, selecting a plurality ofsecurity processes from a set of available security processes, whereinthe plurality of security processes are those security processessupported by both the sending message system and the receiving messagesystem; applying the plurality of security processes to thecommunication; receiving result indications for the plurality ofsecurity processes; determining, based on the result indications,whether the communication passes the plurality of security processes;and in response to determining that the communication passes theplurality of security processes, routing the communication to the user.2. The non-transitory computer-readable storage medium of claim 1,wherein the communication passing the plurality of security processesincludes determining that at least one of the plurality of securityprocesses passed and none of the plurality of security processes failed.3. The non-transitory computer-readable storage medium of claim 1,wherein the operations further comprise: in response to determining thatthe communication passes the plurality of security processes, processingthe communication.
 4. The non-transitory computer-readable storagemedium of claim 3, wherein processing the communication includes atleast one of extracting text from the communication, generating contactinformation based on the communication, or establishing a calendar eventbased on the communication.
 5. The non-transitory computer-readablestorage medium of claim 3, wherein processing the communicationcomprises: accessing, based on a sender of the communication,sender-specific computer code; and executing the sender-specificcomputer code to perform operations on the communication.
 6. Thenon-transitory computer-readable storage medium of claim 1, wherein thesecurity preference of the first tenant is specified by a systemadministrator.
 7. The non-transitory computer-readable storage medium ofclaim 1, wherein the security preference of the user is based on anidentity of a sender of the communication.
 8. The non-transitorycomputer-readable storage medium of claim 1, wherein the operationsfurther comprise: comparing a portion of an email address of a sender ofthe communication with a list of accepted email addresses.
 9. A method,comprising: receiving, at a receiving message system, a communicationsent via a sending message system to a user associated with a firsttenant of a multi-tenant database system; storing, for the first tenant,a security preference indicating a desire to apply, to communicationssent to users associated with the first tenant, all security processessupported by both the sending message system and a receiving messagesystem; based on the security preference of the first tenant, selectinga plurality of security processes from a set of available securityprocesses, wherein the plurality of security processes are thosesecurity processes supported by both the sending message system and thereceiving message system; applying the plurality of security processesto the communication; receiving result indications for the plurality ofsecurity processes; determining, based on the result indications,whether the communication passes the plurality of security processes;and in response to determining that the communication passes theplurality of security processes, routing the communication to the user.10. An apparatus, comprising: at least one processor; and a memoryhaving instructions stored thereon configured to cause the apparatus to:receive, at a receiving message system, a communication sent via asending message system to a user associated with a first tenant of amulti-tenant database system; store, for the first tenant, a securitypreference indicating a desire to apply, to communications sent to usersassociated with the first tenant, all security processes supported byboth the sending message system and the receiving message system; basedon the security preference of the first tenant, select a plurality ofsecurity processes from a set of available security processes, whereinthe plurality of security processes are those supported by both thesending message system and the receiving message system; apply theplurality of security processes to the communication; receive resultindications for the plurality of security processes; and determine,based on the result indications, whether the communication passes theplurality of security processes; and in response to determining that thecommunication passes the plurality of security processes, routing thecommunication to the user.
 11. The method of claim 9, wherein thecommunication passes the plurality of security processes when the resultindications indicate a pass of at least one of the plurality of securityprocesses and the result indications do not indicate a fail of any ofthe plurality of security processes.
 12. The non-transitorycomputer-readable storage medium of claim 1, wherein the applying theplurality of security processes includes implementing one or moresecurity protocols.
 13. The non-transitory computer-readable storagemedium of claim 12, wherein the one or more security protocols includesat least one of a Sender Policy Framework (SPF) security protocol, aSender ID security protocol, a DomainKeys security protocol, or aDomainKeys Identified Mail (DKIM) security protocol.
 14. Thenon-transitory computer-readable storage medium of claim 1, wherein theoperations further comprise: in response to determining that thecommunication does not pass the plurality of security processes,performing at least one of deleting the communication, returning thecommunication to a sender of the communication, or routing thecommunication to a specified location for undeliverable communications.